University of Connecticut

smileybloatNetworking and Communications

Nov 20, 2013 (3 years and 11 months ago)

65 views

IT Security
smileybloat_65f925a2
-
91dc
-
4ea9
-
a8c1
-
856c1070df2b.doc

Page
1

of
17



I T S ECURI TY RI S K AS S
ES S MENT

University of Connecticut

<department name>










Prepared by:

, Director







March 26, 2008


Date of Last Review:


March 26, 2008

Storage Location:


Primary:



Alternate:




IT Security RA:
<department name>


Page
2

of
17


TABLE OF CONTENTS:

AS
SESSMENT OVERVIEW

................................
................................
................................
............................

3

P
URPOSE
:

................................
................................
................................
................................
................................
..............

3

S
COPE
:

................................
................................
................................
................................
................................
..................

3

A
SSUMPTIONS
:

................................
................................
................................
................................
................................
......

3

L
OCATION

................................
................................
................................
................................
................................
.............

3

C
ONTACT
I
NFORMATION
:

................................
................................
................................
................................
......................

3

SC
REENI
NG

................................
................................
................................
................................
................................
.

4

RISK
ASSESSMENT

................................
................................
................................
................................
..............

5

T
EAM
R
OLES AND
R
ESPONSIBILITIES

................................
................................
................................
................................
....

5

P
LANNIN
G
:

................................
................................
................................
................................
................................
............

6

B
USINESS
P
ROCESSES

................................
................................
................................
................................
...........................

7

S
YSTEMS
R
EQUIRED
:
................................
................................
................................
................................
.............................

7

U
NIQUE
A
SSETS
:

................................
................................
................................
................................
................................
...

8

D
ATA ON
S
TAND
-
ALONE
PC’
S
:

................................
................................
................................
................................
.............

8

H
ARDCOPY
F
ILES
:

................................
................................
................................
................................
................................
.

9

F
ILES USED BUT
O
WNE
D BY
O
THER
O
RGANIZATIONS
:

................................
................................
................................
..........

9

O
FFSITE
F
ILE
S
TORAGE
L
OCATIONS
:

................................
................................
................................
................................
....

9

N
ETWORK
D
IAGRAM
:

................................
................................
................................
................................
..........................

10

D
ATA
F
LOW
D
IAGRAMS
:

................................
................................
................................
................................
.....................

10

N
ETWORK
S
URVEYS
:

................................
................................
................................
................................
..........................

10

P
REVIOUS
R
ISK
A
SSESSMENT
(
S
):

................................
................................
................................
................................
........

10

S
ECURITY
P
ROFILE
:
................................
................................
................................
................................
.............................

11

T
HREAT
I
DENTIFICATION
:

................................
................................
................................
................................
...................

11

V
ULNERABILITY
I
DENTIFICATION
:

................................
................................
................................
................................
......

11

C
URRENT
S
AFEGUARD
I
DENTIFICATION
:
................................
................................
................................
.............................

12

R
ISK
P
ROFILE
:

................................
................................
................................
................................
................................
.....

12

T
HREAT
O
CCURRENCE
P
ROBABILITY
:

................................
................................
................................
................................
.

12

T
HREAT
O
CCURRENCE
I
MPACT
:

................................
................................
................................
................................
..........

12

O
CCURRENCE
E
XPECTED
I
MPACT
:

................................
................................
................................
................................
......

12

A
CCEPTABLE
E
XPECTED
I
MPACT
L
EVELS
:

................................
................................
................................
..........................

12

I
MPACT
S
TATEMENT
:

................................
................................
................................
................................
..........................

13

A
DDITIONAL
S
AFEGUARD
O
PTIONS
:

................................
................................
................................
................................
...

13

A
DDITIONAL
S
AFEGUARD
R
ECOMMENDATIONS
:

................................
................................
................................
................

13

A
SSESSMENT
I
NFORMATION
T
ABLE
:

................................
................................
................................
................................
...

14

AS
SESSMENT MAINTENANCE

PR
OCEDURES
:

................................
................................
..........

15

A
SSESSMENT
R
EVIEW AND
U
PDATE
P
ROCESS
:
................................
................................
................................
....................

15

A
SSESSMENT
D
ISTRIBUTION
P
ROCEDURES
:

................................
................................
................................
........................

15

AD
DITIONAL DOCUMENTATI
ON
:

................................
................................
................................
......

16

L
OCATION OF
S
UPPORTING
D
OCUMENTATION
:

................................
................................
................................
...................

16

AS
SESSMENT HISTORY
:

................................
................................
................................
................................
.

16

AS
SESSMENT SIGN OFF

................................
................................
................................
................................

17



IT Security RA:
<department name>


Page
3

of
17


Assessment Overview

Replace the “<department name>”text entries with the name of your department. Note any assumptions that apply to this
ri
sk assessment. For example, there may be areas of the department that are being excluded or organizational changes
that may impact risks.


Purpose:

This IT Security Risk Assessment will be updated in response to changes in the business environment.
Th
e <department name> will review the assessment at least annually.


This document records the information used to assess the IT security risks for the <department name>.
It includes the instructions for following the assessment process and recording the co
nclusions drawn
from the assessment.

Scope:

This assessment is applicable for the <department name> of the University of Connecticut.

Assumptions:

The assumptions listed below apply to this risk assessment.



.


Location

Provide the address of the departmen
t.


University of Connecticut



…, Storrs, CT 06269



Contact Information:

Identify the people that are authorized to review or update risk assessment information.



Primary Name &
Title

Contact Data

Alternate Name

Contact Data













IT Security RA:
<department name>


Page
4

of
17


Screening


T
he following questions will determine whether or not your department needs to perform an IT security risk assessment.


Some departments will find that their areas at risk are limited to an identifiable subset of the department. In those cases,

the asses
sment can target the area(s) at risk and exclude areas that have no significant risks.


Note that many departments keep local copies of student grade reports, faculty promotion and tenure information, or other
files. The primary copies of this information

are usually stored and maintained in other locations, but departments that
retain copies for local use are responsible for maintaining the privacy of the information.




Yes

No

Does your department or organizational unit store or maintain data that:



Is subject to mandated protection under HIPAA, FERPA, or other
Federal or State statutes?





Is any of this data classified as “registered confidential” or
“confidential” as defined in the University’s Policy on Data
C污lsif楣慴楯n?





Wou汤 瑨楳 d慴a

b攠proh楢楴楶ely 數pensiv攠(楮 瑥tms of 瑩m攬 money, or
o瑨敲 r敳eur捥s) 瑯 re
-
捲敡瑥t楦 汯s琠tr d慭慧敤?





䑯敳eyour d数慲tm敮琠tr org慮楺慴楯na氠ln楴im慮ag攠or suppor琠tompu瑩ng
r敳eur捥s (d慴愠b慳敳, h慲dw慲攬 w敢 p慧敳Ⱐ整挮) 瑨慴a慲攠used by p敯pl
攠瑨慴a
慣捥ss 瑨os攠r敳eur捥s from ou瑳楤攠your d数慲tm敮琿





C慮 p敯p汥l慣捥ss th攠捯mput楮g 敱u楰men琠us敤 by your d数慲瑭en琠tr
org慮楺慴楯n慬aun楴⁴hrough th攠楮瑥tn整e through d楡i
-
up 慣捥ss, or from n整work
d敶楣敳uts楤攠your d数慲tmen琿






敳⁡ny oth敲 d数慲瑭en琠tep敮d on d慴愠or 捯mpu瑩ng r敳our捥s 瑨慴ayour
d数慲瑭en琠trov楤敳e
















If you responded with “yes” to any of the questions, your department should complete a risk assessment as instructed
in the rest of this documen
t.


If you responded with “no” to all of the questions, your department does not need to complete a security risk
assessment. Retain a copy of this form with your recorded answers.








IT Security RA:
<department name>


Page
5

of
17



Risk Assessment

This section describes the activities for complet
ion of an IT Security Assessment at the University of Connecticut. (This
process is closely modeled after the process described in the Microsoft “Security Risk Management Guide” (which can be
downloaded from
http://www.microsoft.com/technet/security/topics/policiesandprocedures/secrisk/default.mspx
.) The
guide provides extensive discussion of risk assessment concepts, processes, and tools. While t
he University’s process most
closely follows the Microsoft guide, it incorporates process elements and tables from processes documented by NIST,
SANS, CMS, and the State of Connecticut’s Department of Information Technology.



Team Roles and Responsibili
ties

Identify the people responsible for planning and completing the assessment.


Title

Name

Contact Information




















IT Security RA:
<department name>


Page
6

of
17



Planning:

List the tasks that are required to complete the assessment.

#

Task

Assignment

1

Develop the work plan a
nd assign responsibilities for completing
tasks.


2

Introduce team to Risk Assessment concepts, processes, and tools.


3

Review inventory of assets and resources to verify completeness.
(This is trivial when the department’s Description & Inventory
docu
ment is current.)


4

Use existing information to prepare the department’s
Security
Profile
.


5

Identify threats to assets and resources.


6

Document vulnerabilities to those threats.


7

Document existing safeguards against threat/vulnerability
combina
tions.


8

Prepare the department’s
Risk Profile
.


9

Document the probability of the occurrence of each threat.


10

Document the impact of a threat occurrence.


11

Prepare the department’s
Impact Statement
.


12

Define the level at which the impacts of
risks become unacceptable.


13

Identify additional safeguards to be considered for safeguarding
against risks that have unacceptable impact levels.


14

Select the safeguards to be recommended for implementation.


15

Document the recommended safeguards.













IT Security RA:
<department name>


Page
7

of
17



The material in the following sections of the assessment document is copied directly from the Inventory and Description
document for this department. It presents the inventory of IT resources and assets that will be considered in this
asses
sment.


Business Processes

List the key processes performed at this location.


Processes

Description

Frequency

(daily /
weekly/
monthly)

Person
Performing Task










































Systems Required:

Provide a brief descriptio
n of the computer applications and databases used at this location.


System Name

Description

Criticality

Application
Type

(desktop / server
/ mainframe)

# Desktops
Installed

Owner

Technical
Contact




































Criticality Ratin
gs:

1


The organization cannot function without the system.




2


The organization can function partially without the system.




3


The organization can function fully without the system.






IT Security RA:
<department name>


Page
8

of
17


Unique Assets:

Provide a brief description of unique equipme
nt or other major assets used at this location.


Asset Description

Qty

Vendor

Details (model #s etc.)

Criticality

Location of
Asset

(Campus /
Building /
Floor)









































































Criticality

Ratings:

1


The organization cannot function without the asset.




2


The organization can function partially without the asset.




3


The organization can function fully without the asset.


Data on Stand
-
alone PC’s:

Provide a brief description of sign
ificant data files that are kept on stand
-
alone PC’s at this location.


Data Description

File
Name

Backup
Frequency

Backup
Storage
Location

University Data
Classification

Criticality

PC Owner







































































The University Data Classifications are defined in the University’s Data Classification Policy:



Registered Confidential


Confidential


For Internal Use


Public / Unclassified


Criticality Ratings:

1


The organization cannot function w
ithout the data.




2


The organization can function partially without the data.




3


The organization can function fully without the data.

IT Security RA:
<department name>


Page
9

of
17







Hardcopy Files:

List files that are retained on paper, microfiche, or microfilm.


Description
/Name

Qty

Loc

B
ldg/
Floor

Description of
Contents

Criticality

Dup.
Stored

Offsite

(yes or no)

Offsite

Location

Retention

Policy

Candidate
for
Imaging


(yes or no)































Criticality Ratings:

1


The organization cannot function without the f
iles.




2


The organization can function partially without the files.




3


The organization can function fully without the files.






Files used but Owned by Other Organizations:

List any files that are used at this location, but are stored at another

location and owned/maintained by a separate
organization.


Description

Criticality

Location

Contact Name









Criticality Ratings:

1


The organization cannot function without the files.




2


The organization can function partially without the fil
es.




3


The organization can function fully without the files.



Offsite File Storage Locations:

List files that are used at this location but stored at another location.


Description

Location

Contact Name

Who has Access?












IT Security RA:
<department name>


Page
10

of
17



Network Diagram
:

Include a diagram that shows the major components of the IT network infrastructure that supports the department.
Departments that are unable to prepare this should request the diagram from the UITS Network Support Group. The
diagram should show network

devices and gateways, data servers, network circuits, and classes of user workstations.







Data Flow Diagrams:

For each of the systems used by the department, include a diagram that shows the flow of data through the network
infrastructure. The diagra
ms should show data moving within departmental resources, leaving the department, and coming
into the department.









Network Surveys:

If programs like Nessus or SARA have been used to verify the inventory of devices on the network or to assess the
vul
nerabilities of those devices, include a summary of the findings of the scan.






Previous Risk Assessment(s):

Include a summary of the findings of previous IT Security Risk Assessments, if they provide useful input to this assessment.








IT Security RA:
<department name>


Page
11

of
17



Security P
rofile:

For each of the assets and resources included in the assessment (refer to the inventory tables shown above), indicate the
potential impact of loss of the resource. This is equivalent to the “exposure” level described in the Microsoft guide and th
e

“criticality” rating in the Description and Inventory document.


Criticality Ratings:

1


The organization cannot function without support are “high” impact.




2


The organization can function partially without support are “medium” impact.




3


The or
ganization can function fully without support are “low” impact.


The profile may be simplified by grouping individual assets or resources into groups as long as the grouping definition is
clearly stated.




Assets and Resources

N/A

Low

Medium

High

Sample
asset





All systems





All unique assets





Data on individual PC’s





䡡牤r潰y⁩渠 潢oy 晩fe⁡湤⁲n潭o
㄰1





䡡牤r潰y⁩渠 a獥浥湴⁡rc桩癥h





啃䡃⁦楬es













Threat Identification:

Review the assets and resources shown in the
Security Profile and list them in the Assessment Information table. Then use
the Assessment Information Table to document threats to those assets and resources. The files “Threat Table.doc” and
“Common Threats.doc” provide examples of common threats.



V
ulnerability Identification:

Use the Assessment Information Table to document the vulnerabilities that can be exploited. The file “Common
Vulnerabilities.doc” provides examples of common threats. Note that a single threat may have multiple vulnerabilitie
s.


H

M

L

IT Security RA:
<department name>


Page
12

of
17


Current Safeguard Identification:

Use the Assessment Information Table to document the safeguards that have been implemented to minimize the risks of an
occurrence of each asset/threat/vulnerability combination.



Risk Profile:

The marked columns of th
e assessment information table are the Risk Profile


documentation of the areas at risk


highlighting areas that are threatened with no current safeguards.



Threat Occurrence Probability:

Record an estimated probability of occurrence for each threat occ
urrence. These probabilities should be in the range from
0 to 1.0 and be recorded in .1 increments (for example .7 rather than .72).


This assessment only requires that a probability be assigned to each threat occurrence listed. It may be useful to
separ
ately document the reasons for choosing the assigned probability value for each threat occurrence.



Threat Occurrence Impact:

Record an estimated level of impact for each threat occurrence. These can be recorded on a scale from 1 to 10 (with 10 as
the gr
eatest impact) or as an estimated cost in dollars.


This assessment only requires that an impact level be assigned to each threat occurrence listed. It may be useful to
separately document the reasons for choosing the assigned impact level for each threat

occurrence.



Occurrence Expected Impact:

For each threat occurrence, multiply the probability of occurrence by the estimated impact of an occurrence. This
produces a
relative

measure of the expected impact of a threat occurrence. This measure can be co
mpared to expected
impacts of other possible occurrences without the effort required to determine precise costs of occurrences.



Acceptable Expected Impact Levels:

Record the level of impact of a threat occurrence that would be acceptable to the departmen
t. This assessment only
requires that an acceptable impact level be assigned to each threat occurrence listed. It may be useful to separately
document the reasons for choosing the assigned level.



If current safeguards result in an impact estimate that
is no greater than the acceptable level, no further safeguards are
needed. If the current safeguards do not reduce the estimated impact to a point below the acceptable level, additional
safeguards should be considered. In all cases, the “costs” associate
d with minimizing risk should be less than the “cost”
of the threat occurrence.



IT Security RA:
<department name>


Page
13

of
17


Impact Statement:

The marked columns of the assessment information table are the Impact Statement


documentation of the areas at risk


highlighting areas that are threaten
ed with no current safeguards.



Additional Safeguard Options:

Record any additional safeguards that could be considered for further reducing the impact of a threat occurrence.



Additional Safeguard Recommendations:

Record any safeguards that are recommen
ded for implementation to further reduce the impact of a threat occurrence.




IT Security
smileybloat_65f925a2
-
91dc
-
4ea9
-
a8c1
-
856c1070df2b.doc

Page
14

of
17


Assessment Information Table:



Risk Profile

Impact Statement



Assets and
Resources

Threat

Vulnerability

Current
Safeguard

Safeguard

Defense

Layer

Occurrence
Probability


(A)

Occurrence
Impact

(B)

Expected
Impact


(A x B)

Acceptable
Expected
Impact
Level

Additional
Safeguard
Options

Recommended
Safeguards















































































Defense layers are:

Physical/Adminis
trative


Probabilities are 0 to 1.0, in tenths




Application/System


Impact Levels are 1 to 10 or dollar amounts




Server/Workstation .

Network .

Data .




IT Security
smileybloat_65f925a2
-
91dc
-
4ea9
-
a8c1
-
856c1070df2b.doc

Page
15

of
17



Assessment Maintenance Procedures:

Assessment Review and Update Process:

Describe the process fo
r keeping the plan current.


Assessment Distribution Procedures:

Describe the process for distributing the plan and/or training people to use its content.








IT Security RA:
<department name>


Page
16

of
17


Additional Documentation:


Location of Supporting Documentation:

Document Name

Location

Description &
Inventory
Document


Risk Assessment


PC Inventory


BCP Document


Current network
diagram


Data flow
diagrams


Result of network
device
verification scan


DoIT Security
Evaluation
Report


Report from
Microsoft
Security Risk Self
Asses
sment






Assessment History:

Date

RevisionSummary

Revised By









IT Security RA:
<department name>


Page
17

of
17


Assessment Sign Off

This assessment accurately describes the information technology security risks faced by this
organization. The current and recommended safeguards shown in the

Assessment Information Table
provide an acceptable response to the documented risks.






________________________________________________


_______________

Director//Dean/Department Head






Date